THE CRIMINAL DIVISION’S LAPTOP COMPUTER
ENCRYPTION PROGRAM AND PRACTICES

U.S. Department of Justice
Office of the Inspector General
Audit Division

Audit Report 10-23
March 2010

TABLE OF CONTENTS

INTRODUCTION
     OIG Audit Approach
     OIG Results in Brief
     Background

FINDING AND RECOMMENDATIONS
     The Criminal Division’s Efforts to Ensure Safeguards Over DOJ Data on Laptop Computers Need Improvement
     Laptop Computers Owned by the Criminal Division
     Laptop Computers Owned by Contractors and Subcontractors
     Recommendations

STATEMENT ON INTERNAL CONTROLS

STATEMENT ON COMPLIANCE WITH LAWS AND REGULATIONS

APPENDIX I: OBJECTIVES, SCOPE, AND METHODOLOGY

APPENDIX II: ACRONYMS

APPENDIX III: CRIMINAL DIVISION’S RESPONSE

APPENDIX IV: OFFICE OF THE INSPECTOR GENERAL ANALYSIS AND SUMMARY OF ACTIONS NECESSARY TO CLOSE THE REPORT

INTRODUCTION

Significant losses of sensitive data and personally identifiable
information have occurred in both the government and in the private
sector over the past few years. [1] For example, in May 2006 the
Department of Veterans Affairs reported that a laptop computer
containing personal information on approximately 26 million veterans
and active duty military personnel had been stolen, and an
investigation determined that the laptop was not encrypted. [2] In
February 2009 a federal judge approved the government’s plans to
pay $20 million for out-of-pocket expenses for credit monitoring or
physical symptoms of emotional distress to veterans exposed to
possible identity theft resulting from the laptop loss.

In 2009, the Department of Justice Office of the Inspector
General (OIG) issued a report on the Civil Division’s laptop computer
encryption program and practices in which we found significant
weaknesses concerning unencrypted laptop computers used by its
contractors, subcontractors, and vendors and other issues. [3] The Civil
Division concurred with our findings and is in the process of
implementing corrective action, including ensuring that laptop
computers used to process Department of Justice (DOJ) data are
encrypted.

As a result of our findings in the Civil Division report, we initiated
this audit to assess the adequacy of laptop computer encryption
deployment practices in the Criminal Division.
The Criminal Division is
responsible for prosecuting significant criminal cases of national
interests such as organized crime, money laundering and narcotics,
and dangerous drugs, and it treats all work processed on DOJ laptops
as sensitive.

[1] The term “personally identifiable information” refers to information that can
be used to distinguish or trace individuals’ identity, such as their name and social
security number.

[2] Encryption is the use of algorithms (i.e., mathematically expressed rules) to
encode data in order to render it readable only for the intended recipient.

[3] U.S. Department of Justice, Office of the Inspector General, The Civil
Division’s Laptop Computer Encryption Program and Practices, Audit Report 09-33
(July 2009).

OIG Audit Approach

Our audit objectives were to determine whether the Criminal
Division complies with federal and DOJ policies regarding: (1) the use
of whole disk encryption on the laptop computers that Criminal
Division employees, contractors, subcontractors, and other vendors
use to process DOJ sensitive and classified information; and
(2) encryption certification procedures for the laptop computers of
contractors, subcontractors, and other vendors providing services to
the Criminal Division.

The scope of our audit included two types of laptop computers:
(1) laptops owned by the Criminal Division, and (2) laptops owned by
contractors, subcontractors, and other vendors working for the
Criminal Division. The laptop computers owned by the Criminal
Division are mostly “pooled” laptops that are loaned to Criminal
Division employees and to contractors on an as-needed basis.
All
Criminal Division-owned laptop computers are authorized to process
“sensitive but unclassified” information.

During our audit, we interviewed officials within the Criminal
Division, Justice Management Division (JMD), and contractor personnel
with responsibility for encryption policy development and deployment
practices. Additionally, we interviewed Procurement and Contracting
Staff at JMD. Within the Criminal Division, we interviewed Contracting
Officer’s Technical Representatives (COTR), Criminal Division
contractors and subcontractors, and attorneys regarding laptop data
security practices.

As of November 5, 2009, the Criminal Division had 799 laptops
listed in ARGIS, the Department’s official property management
system. We selected a sample of 40 laptops for testing and required
that the Section Laptop Managers, who are responsible for laptop
computers within their section, log on to these laptops. For this
sample, we verified that encryption software was completely installed
and that the installation date was documented within the software.
We also followed up on a DOJ Computer Emergency Response Team
(DOJCERT) incident report in May 2009 by the Criminal Division that
related to the loss of a laptop computer. [4]

We also tested non-Criminal Division-owned laptops on two
major contract types used by the Criminal Division, Mega 3 and the
Offices, Boards, and Divisions (OBD 47) contracts for litigation
support. We visited two off-site facilities to verify data security
practices by a Mega 3 contractor and subcontractor. [5] From three
Criminal Division sections, we selected 9 of 18 OBD 47 contractors to
test contractor-owned laptops for the installation of whole disk
encryption software.

OIG Results in Brief

Criminal Division-Owned Laptop Computers

Our review found that of the 40 laptops we tested for encryption
software, 10 did not have encryption, and 9 of those 10 did not have
Windows passwords enabled. All of the unencrypted laptops were in
one Criminal Division section, the International Criminal Investigative
Training Assistance Program (ICITAP), and all of those laptops
contained sensitive departmental data.

In addition to our testing of laptops for encryption, we found
weaknesses in other areas of the Criminal Division’s laptop encryption
program. We determined that at least 43 laptops did not comply with
DOJ standards and Criminal Division requirements for laptop security
settings. [6] Also, documentation was not maintained to verify the
successful installation of whole disk encryption software for all laptop
computers. In addition, the Criminal Division was unable to produce
an accurate inventory of the universe of laptop computers it owns from
ARGIS, DOJ’s official property management system.

[4] DOJCERT is a reporting and tracking system that provides support of the
resolution of issues that could disrupt working operations of the Department of
Justice's Information Technology (IT) systems. DOJCERT is responsible for
coordination and support of all response activities.

[5] The Criminal Division COTR and Mega 3 contractors stated that Mega 3
contracted litigation support providers do not use laptop computers.
Therefore, we
did not have any Mega 3 laptops to test.

[6] As we explain in detail in the Baseline Configuration Section of this report,
we confirmed with Information Technology Management that 43 laptops were not in
compliance with DOJ requirements.

Non-Criminal Division-Owned Laptop Computers

We found serious deficiencies with the OBD 47 contractor-owned
laptops. Specifically, seven out of nine OBD 47 contractors we tested
processed sensitive Department data on laptops without encryption.

In addition to our testing of contractor laptops for encryption, we
found weaknesses in oversight of data security policies for the Criminal
Division’s contractors. For both the Mega 3 and OBD 47 contracts, we
found that these contracts did not have the required security clause
requiring encryption, and the Criminal Division had not implemented
alternative controls to compensate for the contract deficiencies.

Background

The Criminal Division develops, enforces, and supervises the
application of federal criminal laws, except those specifically assigned
to other components such as the Antitrust, Civil Rights, Environment
and Natural Resources, and Tax Divisions. The Criminal Division and
the 93 U.S.
Attorneys have the responsibility for overseeing criminal
matters under more than 900 statutes as well as certain civil litigation.
In addition to its direct litigation responsibilities, the Criminal Division
formulates and implements criminal enforcement policy.

The Criminal Division also approves or monitors sensitive areas
of law enforcement, such as participation in the Witness Security
Program and the use of electronic surveillance; advises the Attorney
General, Congress, the Office of Management and Budget (OMB), and
the White House on matters of criminal law; provides legal advice and
assistance to federal prosecutors and investigative agencies; and
provides help to coordinate international as well as federal, state, and
local law enforcement matters.

As of January 2010, the Criminal Division had 747 full-time
employees on-board. It is comprised of but not limited to the
following sections: Organized Crime and Racketeering Section
(OCRS); Asset Forfeiture and Money Laundering Section (AFMLS);
Fraud Section (FRD); Computer Crime and Intellectual Property
Section (CCIPS); International Criminal Investigative Training
Assistance Program (ICITAP); Domestic Security Section (DSS); Child
Exploitation and Obscenity Section (CEOS); Office of Overseas
Prosecutorial Assistance, Development and Training (OPDAT); Narcotic
and Dangerous Drug Section (NDDS); and Office of Enforcement
Operations (OEO).

The Criminal Division’s Information Technology Management
group is responsible for the implementation and oversight of laptop
security throughout the Division.
The Information Technology
Management staff installs encryption software for Criminal Division
laptops and provides technical support.

In its work, the Criminal Division uses contractors,
subcontractors, and other vendors (such as expert witnesses,
specialists, and consultants) to assist with its wide range of duties.
The two major contract types used by the Criminal Division to obtain
litigation support services are the Mega 3 and the OBD 47 contracts. [7]
Contracted litigation support providers help acquire, organize, develop,
and present evidence throughout the litigation process.

During our audit, we requested from the Criminal Division a list
of contractors supporting the Division. In December 2009, the
Criminal Division provided us with a list of 168 full-time contractors.
This list included some Mega 3 contractors, but the Criminal Division
was unable to provide an accurate number of Mega 3 contractors from
the list of 168 contractors during audit field work.

In order to identify an accurate number of OBD 47 contractors,
we requested a list from the Criminal Division’s Office of
Administration (ADMIN). We also selected a sample of three sections
(Fraud, Asset Forfeiture and Money Laundering, and Office of Special
Investigations) to review OBD 47 contractor compliance with the DOJ
Procurement Guidance Document (PGD) 08-04, and we received
separate contracting lists from each of these three sections. However,
we noted a material difference between the list provided by ADMIN
and the section specific lists. Specifically, the three sections sampled
for OBD 47 review provided us with 24 contracts, but 8 of those 24
contracts were not included on the list provided by ADMIN. These 24
contracts covered 18 distinct OBD 47 contracting entities. [8] Therefore,
the ADMIN provided list is not a complete and accurate account of the
OBD 47 contracts.
Subsequently, the Criminal Division was unable to
confirm an accurate number of OBD 47 contractors.

[7] The Mega 3 contracts provide automated litigation support services and the
OBD 47 contracts are used to procure the services of expert witnesses or litigation
consultants. See Appendix I, Objectives, Scope, and Methodology for more details.

[8] Our testing of OBD 47 contractors (individuals and companies) differs from
the total number of contracts reviewed because an OBD 47 contractor may be
responsible for working on multiple contracts.

Laptop Encryption Policy within the DOJ

DOJ Order 2640.2F establishes laptop encryption policy for DOJ
employees and contractors. Chapter 2, section 12 states that
information on mobile computers or devices (e.g., notebook
computers, personal digital assistants) and removable media shall be
encrypted using a National Institute of Standards and Technology
(NIST), Federal Information Processing Standards (FIPS) 140-2
validated or National Security Agency (NSA) approved encryption
mechanisms.

Laptop Encryption Policy for Contractors

On March 20, 2008, the Department’s Senior Procurement
Executive issued DOJ PGD 08-04, Security of Systems and Data,
Including Personally Identifiable Information. PGD 08-04 contains a
security clause addressing Department systems and data, including
provisions governing the use of laptops by contractors, that must be
included in all current and future contracts where a contractor handles
data that originated within the Department, data that the contractor
manages or acquires for the Department, and data that is acquired in
order to perform the contract and concerns Department programs or
personnel.
In addition, the contractor must comply with all security
requirements applicable to Department systems, and the use of
contractor-owned laptops or other media storage devices to process or
store data covered by the clause is prohibited until the contractor
provides a letter to the contracting officer certifying the following
requirements:

  1. Laptops must employ encryption using a FIPS 140-2 approved
     product;

  2. The contractor must develop and implement a process to ensure
     that security and other applications software is kept up-to-date;

  3. Mobile computing devices must utilize anti-viral software and a
     host-based firewall mechanism;

  4. The contractor must log all computer-readable data extracts
     from databases holding sensitive information and verify each
     extract including sensitive data has been erased within 90 days
     or its use is still required. All DOJ information is considered
     sensitive information unless designated as non-sensitive by the
     Department;

  5. Contractor-owned removable media, such as removable hard
     drives, flash drives, CDs, and floppy disks, containing DOJ data,
     must not be removed from DOJ facilities unless encrypted using
     a FIPS 140-2 approved product;

  6. When no longer needed, all removable media and laptop hard
     drives shall be processed (sanitized, degaussed, or destroyed) in
     accordance with security requirements applicable to DOJ;

  7. Contracting firms shall keep an accurate inventory of devices
     used on DOJ contracts;

  8. Rules of behavior must be signed by users. These rules must
     address at a minimum: authorized and official use; prohibition
     against unauthorized users; and protection of sensitive data and
     personally identifiable information; and

  9. All DOJ data will be removed from contractor-owned laptops
     upon termination of contractor work. This removal must be
     accomplished in accordance with DOJ Information Technology
     (IT) Security Standard requirements. Certification of data
     removal will be performed by the contractor’s project manager
     and a letter confirming certification will be delivered to the DOJ
     Contracting Officer within 15 days of termination of contractor
     work.

These requirements also apply to all subcontractors who perform
work in connection with Department contracts. For each
subcontractor, the contractor must certify that it has required the
subcontractor to adhere to all such security requirements. Any breach
by a subcontractor of any of the provisions is attributable to the
contractor.

According to PGD 08-04, all current Department contracts must
be modified to include the applicable clause within 60 days of the date
of the issuance of the guidance, which was March 20, 2008, after
which, laptops or devices not covered by certification letters may not
be used on DOJ contracts.
A request for a waiver from the
requirement to include these clauses, or any deviations from the
language of these clauses (except those that are more stringent),
must be made in writing to the DOJ Senior Procurement Executive.
According to the Senior Procurement Executive, permission for a
deviation or waiver is only granted in unusual circumstances.

Civil Division’s Request for a Waiver of Implementation of PGD 08-04,
“Civil Waiver”

In July 2008, in response to the PGD 08-04 document, the Civil
Division issued a memorandum to the Senior Procurement Executive
requesting an exemption from the requirement to incorporate the
security clause into the Mega 3 contractors on behalf of all litigating
components, which includes the Criminal Division.

In January 2009, the Senior Procurement Executive granted a
waiver to exempt the security clause from being incorporated into the
Mega 3 contracts after the Civil Division provided the following
requirements to ensure that data security measures were implemented
and enforced for the Mega 3 contracts:

  1. data security guidance and instructions that were issued to
     vendors;

  2. written acknowledgement from the contractors that they
     have received and accepted that data security guidance
     and instructions;

  3. a statement by contractors agreeing to provide the data
     security guidance and instructions to all applicable
     employees and subcontractors and to provide adequate
     security training; and

  4. a more detailed description of the steps that were taken
     and would be taken to ensure that data security measures
     are implemented and enforced.

As requested, the Civil Division provided documentation to JMD
on how the Civil Division would meet the IT security requirements for
Mega 3 contracts only. The Senior Procurement Executive did not
address any other contract vehicles other than Mega 3 contracts in his
January 2009 memo. As a result, the waiver only applied to the
Mega 3 contracts and did not apply to the OBD 47 contracts.

During our audit of the Criminal Division, JMD informed us that
the waiver applied to all litigating divisions. However, the Criminal
Division officials were unaware of the PGD 08-04 security clause and
the waiver.

Impact of the Waiver

Although the Civil Division was granted the waiver for the
Mega 3 contracts on behalf of all litigating Divisions, including the
Criminal Division, the revised Rules of Behavior for the Mega 3
contracts still required that contractors encrypt all Departmental data
stored on laptops and on removable media being transported outside
the Department’s physical perimeter.
Therefore, regardless of the
waiver, Mega 3 contractors, subcontractors, and vendors are still
required to encrypt all laptop computers processing DOJ data.

FINDING AND RECOMMENDATIONS

The Criminal Division’s Efforts to Ensure Safeguards Over
DOJ Data on Laptop Computers Need Improvement

     We found that for laptops owned by the Criminal Division:
     (1) at one Criminal Division section, ICITAP, laptop
     computers used to process sensitive DOJ data were not
     encrypted; (2) at two Criminal Division sections (ICITAP
     and CCIPS), baseline configurations were not consistent
     with DOJ requirements for all laptop computers used to
     process DOJ data; (3) the Criminal Division did not
     maintain documentation to verify the successful
     installation of whole disk encryption software for all laptop
     computers; and (4) the Criminal Division did not maintain
     a complete and accurate laptop inventory in ARGIS.

     In addition, the Criminal Division’s efforts to ensure
     contractor safeguards over DOJ data need immediate
     attention to correct significant weaknesses. We found
     that: (1) contractor laptops used to process sensitive DOJ
     data were not encrypted; and (2) the Criminal Division did
     not provide sufficient oversight regarding the enforcement
     of data security measures for OBD 47 and Mega 3
     contracts.

Laptop Computers Owned by the Criminal Division

Encryption Test Results

DOJ Order 2640.2F, Chapter 2, Section 12, Protection of Mobile
Computers/Devices and Removable Media, notes that information
physically transported outside of the Department’s secured physical
perimeter is more vulnerable to compromise.
The intent of this policy
is to compensate for protections not provided by physical security
controls when information is removed from the component location.
In accord with this Order, information on mobile computers/devices
(e.g., notebook computers, personal digital assistants) and removable
media must be encrypted using FIPS 140-2 validated or NSA approved
encryption mechanism. In addition, the Order requires DOJ
components to ensure that all security related updates are installed on
mobile computers and devices.

The Criminal Division’s Standard Operating Procedures (SOP),
Stand Alone Laptop PC Management Version 4.2, requires that the
Division’s laptop System Administrator install PointSec hard drive
encryption software on each laptop.

To test the encryption of Criminal Division laptops, we sampled
40 laptop computers from 7 Criminal Division sections. Our tests
found that laptops within the Criminal Division’s International Criminal
Investigative Training Assistance Program (ICITAP) section were not
encrypted. However, each of the laptop computers we tested in the
other six Criminal Division sections was encrypted.

We noted that all 10 of the sampled ICITAP laptops used to
process DOJ Data were not encrypted. [9] In addition to not having
whole disk encryption, the laptops contained DOJ documentation such
as reports, a management video, and field notes for ICITAP work.
For
example, the laptops included the following data:

   • Attorney General Weekly Submission-Iraq Program;

   • International Development and Training Programs - Iraq
     Program Update, was marked for Internal Distribution Only;

   • Iraqi Program Accomplishments report based on Police,
     Corrections, and Commissions on Public Integrity; and

   • Pakistan Program Management Evaluation Report.

We asked ICITAP and Information Technology Management
officials whether they were aware that sensitive DOJ data was stored
on these laptops. ICITAP officials stated that these laptops were in
use by ICITAP staff, but they were unaware of what files were stored
on the laptops and the nature of their sensitivity. Information
Technology Management officials stated that they were unaware that
the laptops were unencrypted.

[9] These laptops were selected because we considered them to be high risk
since they were not listed on Information Technology Management’s laptop loaner
pool inventory and therefore they may not have received Information Technology
Management oversight.

We also asked for the procurement documentation for the 10
ICITAP unencrypted laptops from the Criminal Division’s ICITAP and
Information Technology Management sections. However, they were
unable to provide the OIG with information regarding the procurement
of the 10 unencrypted laptops. ICITAP and Information Technology
Management informed us that they would search for the purchase
orders for the unencrypted laptops.
However, we received an e-mail
from a member of the Information Technology Management staff
indicating that the purchase orders could not be found by either
section.

Additionally, ICITAP officials informed the OIG that they believed
the laptops went through Criminal Division’s Information Technology
Management as directed by Criminal Division policy. However,
Information Technology Management was unable to determine
whether the laptops came through their section prior to use for proper
configuration including encryption. Although Information Technology
Management is responsible for maintaining oversight of laptop security
throughout the Division, it was unaware that these laptops did not
receive the approved configuration baseline.

Baseline Configuration Non-Compliance

Criminal Division, Information Technology Management SOP,
Stand Alone Laptop PC Management Version 4.2, requires that the
laptop System Administrator keep laptop images up to date.
If major
hardware and software updates are needed, a Change For Request
must be submitted and a new image must be created.

DOJ Order 2640.2F, Section 5, Technical Security Policy, states
that in accordance with DOJ IT Security Standard – Identification and
Authentication (IA) Control, component IT systems shall identify: IT
system users; processes acting on behalf of users; or devices, and
that component IT systems shall authenticate (or verify) the identities
of those users, processes, or devices, as a prerequisite to allowing
access to component IT systems.

DOJ Information Technology Security Standard, Access Control
Version 2.2 (control AC-08), requires that all DOJ systems display an
approved notification message before granting access to the system.
The warning banner is required to be designed to remain on the laptop
computers’ screen until the user logs on to the information system.
The warning banners are required to be designed to alert potential
system users that they are about to access a federal government
system. Additionally, the banner must warn the potential user of DOJ
system access criteria and ramifications for illegal and unauthorized
system use. The warning banner also should contain DOJ’s privacy
and security notices.

Baseline configurations provide information about the standard
software loaded for a workstation or notebook computer including
updated patch information. Also, baseline configurations provide
minimum information system settings such as password length and
composition.

We selected a sample of laptops for testing based on the number
of laptops in each section and the sensitivity of the type of work
performed in that section.
Specifically, we tested 5 laptops each from
the Computer Crimes and Intellectual Property section (CCIPS), Fraud,
AFMLS, OPDAT, Office of Enforcement Operations, and Narcotics and
Dangerous Drug Section, and 10 from ICITAP.

We found that laptops imaged at CCIPS and ICITAP do not have
the Information Technology Management approved baselines installed.
Specifically, we noted that of the 40 laptops we tested:

   • 4 CCIPS and 10 ICITAP laptops did not display a warning
     banner.

   • 9 ICITAP laptops did not require a Windows password to
     access the system.

During our testing, we noted that four of the five laptops
selected for sampling at CCIPS did not display a warning banner.
CCIPS stated that laptop computers are re-imaged between usages.
However, we subsequently learned that the images that are used were
not provided by the Criminal Division’s Information Technology
Management section as required by policy. Instead, CCIPS created an
image used for their laptops that does not meet the approved DOJ
configuration baselines.

During our testing, an Information Technology Management
official became aware of this issue. Based on our results, Information
Technology Management staff scanned the CCIPS laptops to review the
configuration settings. The result of those scans concluded that the
CCIPS image was not in compliance with DOJ requirements, including
maintaining audit logs, password length, and password complexity.
CCIPS informed us that 33 laptops were imaged incorrectly, including
4 of 5 we tested.

We were informed by a CCIPS official that the section had
re-imaged its own laptops based on the need for its attorneys to access
particular applications and run programs that require administrative
access that Information Technology Management’s image does not
allow.
According to CCIPS, it received authorization from Information
Technology Management to perform the re-imaging of its laptops. We
requested verification of this authorization from Information
Technology Management and CCIPS; however, neither was able to
provide us with documentation to substantiate this agreement.

ICITAP also had configuration issues with each of the 10 laptops
we tested. Information Technology Management officials informed us
that they have removed all laptops from operation for further analysis,
as directed by the Criminal Division’s Chief Information Officer. After
performing scans of the ICITAP laptop computers baseline
configurations, an Information Technology Management official
informed us that the laptops did not meet DOJ requirements such as
whole disk encryption, audit logs, password length, and password
complexity.

During our testing at ICITAP, we also found Limewire, an
unauthorized software program, installed and running on one of the
unencrypted ICITAP laptop computers. Limewire is a free peer-to-peer
file sharing client that makes computers vulnerable by allowing
unauthorized access. Limewire may also allow access to any file on a
user’s computer, including documents with personal information or
DOJ sensitive data, and it allows the dissemination of potentially
harmful viruses and malware. [10] For example, a laptop with Limewire
may allow an unauthorized user to obtain confidential reports such as
the International Development and Training Programs-Iraq Program
Update discussed previously. Publicly accessible peer-to-peer file
sharing technology is not permitted according to the DOJ IT Security
Standards, Systems and Services Acquisitions.

ICITAP officials were unaware that the unauthorized Limewire
software had been installed on the laptop computer.
As a result of our testing, Information Technology Management recalled the 10 ICITAP laptops we tested for further analysis, and it plans to surplus or re-image the laptops.

10 Malware refers to a program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, and availability of the victim’s data, application, or operating system. Malware has become the most significant external threat to most systems, causing widespread damage and disruption, and requiring extensive recovery efforts.

Encryption Installation Records Not Maintained

DOJ Order 2640.2F Information Technology Security, Audit and Accountability, Chapter 1, Section 5, states that DOJ components should create, protect, and retain IT system audit records to the extent needed to enable security monitoring, analysis, investigation and reporting of unlawful, unauthorized, or inappropriate IT system activity.

Based on our review of a DOJCERT incident that involved the theft of an unencrypted laptop computer in May 2009 from the trunk of an attorney’s car from the Criminal Division’s Fraud section, we found that Criminal Division laptop encryption records are not maintained. We met with Information Technology Management staff to determine the stolen laptop’s level of encryption. Information Technology Management staff stated that it does not allow any unencrypted laptop computers to be deployed; however, they could not provide documentation showing evidence when or if the encryption software was installed on any laptop.
As a result the Criminal Division is unable to provide sufficient evidence that encryption software was appropriately installed.

We contacted the attorney whose laptop was stolen in May 2009. The attorney reported that he believed the laptop was encrypted and that multiple layers of authentication were required to access the laptop, including PointSec encryption software. The attorney and Information Technology Management staff further stated that little to no DOJ data was stored on the laptop. The attorney stated that the data was saved to a U.S. Attorney-issued biometric thumb drive, which was not stolen and that any information left on the laptop was limited since the laptop was recently put into service.

Based on our results, Information Technology Management staff plan to add a field within their internal database to track laptop encryption installation on all Criminal Division laptops.

Laptop Inventory Discrepancies

Office of Management and Budget (OMB) Circular A-130 requires that a complete inventory of information resources, including personnel, equipment, and funds devoted to information resources management and information technology, be maintained to an appropriate level of detail.

We reviewed several laptop inventories from the Criminal Division during this audit. Information Technology Management staff provided us two lists: the first from their internal inventory, which includes its laptop loaner pool, and the second from ARGIS, which is the Department’s official property management system. In addition, two out of the seven Criminal Division sections we reviewed maintained their own independent inventories and provided us with copies of the inventories. The other five sections did not maintain their own inventories.
We noted several discrepancies between ARGIS and the two sections (ICITAP and CCIPS) that maintained internal inventories.

Initially, the Criminal Division provided the audit team with the DOJ’s official inventory from ARGIS. As of November 5, 2009, we noted that the Criminal Division had 799 laptops.

We compared the ARGIS inventory to the Information Technology Management’s internal laptop loaner pool inventory, which tracks specific laptops used by Criminal Division’s employees, contractors and vendors performing work across all sections. All laptops on the Information Technology Management’s laptop loaner pool inventory reconciled with ARGIS.

We then reconciled ARGIS to ICITAP’s two internal inventory lists, one for Information Technology Management-provided laptops for ICITAP Headquarters and another for laptops that are provided to foreign field offices through a State Department-funded program. While reviewing both ICITAP inventories, we noted initially that at least one laptop was not included in the ARGIS inventory. This one laptop was eventually found on the ARGIS inventory by the Criminal Division; it was documented erroneously on the list. However, after bringing this to ICITAP’s attention, further inspection by ICITAP revealed that 11 of their laptops were not in the ARGIS inventory. To perform their inspection, ICITAP used a more updated list than the one we were originally provided. An ICITAP official explained that laptops may have been dropped from the ARGIS system due to system or operator error. 11

We also reconciled ARGIS to CCIPS’s internal inventory of laptops and found discrepancies. Specifically, nine laptops on the

11 According to the Criminal Division, ARGIS is known to randomly purge records, resulting in inaccurate inventories.
The Department is seeking to replace the ARGIS system in the near future.

CCIPS inventory were not listed in ARGIS. According to CCIPS, it does not have access to ARGIS and therefore did not reconcile their internal list to ARGIS.

Without an accurate accounting in the officially approved inventory, the Criminal Division is unable to ensure that all required laptop computers are encrypted and deployed compliant with DOJ policies.

Laptop Computers Owned by Contractors and Subcontractors

OBD 47 Contractor Compliance with PGD 08-04

As previously discussed in the background section of this report, the DOJ PGD 08-04 document requires that laptops must employ encryption using a FIPS 140-2 approved product. The document also states that the contractor agrees that in the event of any actual or suspected breach of DOJ data (such as loss of control, compromise, unauthorized disclosure, access for an unauthorized purpose, or other unauthorized access, whether physical or electronic), the contractor will immediately (and in no event later than within 1 hour of discovery) report the breach to the DOJ Contracting Officer and the COTR.

During our audit, we sampled laptops in 9 of 18 OBD 47 contractors in the Fraud Section, Asset Forfeiture and Money Laundering Section (AFMLS), and Office of Special Investigations located in Washington, DC; Boston; New York; and Miami. We found that:

• The OBD 47 contracts did not contain the required PGD 08-04 clause;

• Seven of the nine contractors we sampled processed DOJ data on laptops that were not encrypted;

• The Criminal Division did not provide sufficient oversight of data security on the contractors’ laptops.
  The Criminal Division did not provide DOJ requirements to the OBD 47 contractors regarding standard policies and procedures regarding data security, including encryption requirements and procedures for addressing data breaches.

Specifically, on our testing of the OBD 47 contractors, we found unencrypted laptops that contained sensitive DOJ data such as case related files containing information on financial corruption, medical records, and information involving genocide. We found that in some cases, the laptops may have been used by contractors’ family members for personal use.

Furthermore, these OBD 47 contractors did not receive specific guidance and oversight from the Criminal Division regarding data security measures. By not enforcing the PGD 08-04 clause for its contract employees, we concluded that the Criminal Division is placing DOJ data at high risk to loss, corruption, or disclosure.

Mega 3 Contractor Compliance with PGD 08-04

The Criminal Division also uses three Mega 3 contractors: CACI International Incorporated, Labat-Anderson Incorporated, and Lockheed Martin. We reviewed the contracting documentation and waiver implementation for these contractors and performed interviews and site visits.

We found that the Criminal Division’s Mega 3 contracts do not comply with the PGD 08-04 clause. As noted above, these contracts have a waiver; however, this waiver requires that alternate security measures be implemented. Although the Mega 3 contractors at the Criminal Division do not use non-DOJ laptops, they are still required to satisfy other requirements. For example, the Criminal Division should be issuing security guidance, maintaining signed rules of behavior, and conducting site visits of contractor facilities as a part of the provisions of the waiver.
Based on our review, the Criminal Division is providing limited security guidance to the Mega 3 contractors and maintaining signed rules of behavior. However, we noted that the Criminal Division is not conducting site visits in accordance with the oversight procedures specific to the waiver for Mega 3 contractors.

When we asked the Criminal Division whether it had implemented measures to satisfy compliance with the waiver, the Criminal Division COTR was unaware that any oversight procedures were required.

We also conducted two site visits (one Mega 3 contractor and one subcontractor) to test Criminal Division’s oversight of the Waiver provisions. We found that:

• The Criminal Division was not conducting site visits to determine compliance with DOJ requirements;

• There were no locks on the subcontractors’ rooms where they process DOJ information; and

• Standalone computers used to process information were not secured via password-protected screensavers.

In sum, we found that contractors performing work for the Criminal Division are not securing data in accord with DOJ requirements.
We believe that, by not enforcing the Waiver, the Criminal Division is placing DOJ data at high risk of loss, corruption, or disclosure.

Recommendations

As a result of the issues identified in this report, we make 10 recommendations to the Criminal Division to enhance its safeguards over DOJ data on laptop computers.

We recommend that the Criminal Division:

1. Ensure that all current Criminal Division-owned laptops are encrypted.

2. Provide all laptops to Information Technology Management staff for encryption prior to use.

3. Formalize laptop procurement procedures to ensure that laptops are appropriately inventoried, encrypted, and processed through Information Technology Management per Criminal Division policy.

4. Ensure that the Information Technology Management staff approves baseline configurations using DOJ standards on all laptops used for DOJ processing.

5. Ensure that a record of encryption is maintained for all Criminal Division-owned Laptops.

6. Enhance procedures for ensuring that the official inventory database, ARGIS, maintains accurate and reliable information for all Criminal Division-owned laptop computers.

7. Ensure that all contractor-owned laptop computers used to process DOJ data are encrypted or require contractors to use encrypted Criminal Division provided hardware.

8. Ensure that Criminal Division contract support providers are aware of security procedures for handling DOJ data in accordance with DOJ policy.

9. Implement the PGD 08-04 clause in all OBD 47 contracts.

10.
Implement the conditions of the waiver pertaining to the PGD 08-04 clause for Mega 3 contracts.

STATEMENT ON INTERNAL CONTROLS

As required by the Government Auditing Standards, we tested, as appropriate, internal controls significant within the context of our audit objectives. A deficiency in an internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to timely prevent or detect: (1) impairments to the effectiveness and efficiency of operations, (2) misstatements in financial or performance information, or (3) violations of laws and regulations.

Our evaluation of the Criminal Division’s internal controls was not made for the purpose of providing assurance on its internal control structure as a whole. The Criminal Division’s management is responsible for the establishment and maintenance of internal controls.

As noted in the Finding section of this report, we identified deficiencies in the Criminal Division’s internal controls that are significant within the context of the audit objectives and, based upon the audit work performed, that we believe adversely affect the Criminal Division’s ability to ensure that DOJ data is appropriately protected from unauthorized access, use, disclosure, disruption, modification, or destruction.

Because we are not expressing an opinion on the Criminal Division’s internal control structure as a whole, this statement is intended solely for the information and use of the Criminal Division and the Department of Justice.
This restriction is not intended to limit the distribution of this report, which is a matter of public record.

STATEMENT ON COMPLIANCE WITH LAWS AND REGULATIONS

As required by the Government Auditing Standards we tested, as appropriate given our audit scope and objectives, selected transactions, records, procedures, and practices to obtain reasonable assurance that the Criminal Division’s management complied with federal laws and regulations, for which non-compliance, in our judgment, could have a material effect on the results of our audit. The Criminal Division’s management is responsible for ensuring compliance with federal laws and regulations applicable to the information security controls. In planning our audit, we identified the following laws and regulations that concerned the operations of the Criminal Division and that were significant within the context of the audit objectives:

• Senior Procurement Executive Procurement Guidance Document (PGD) 08-04,
• Protection of Department Sensitive Information on Laptop and Mobile Computing Devices OMB M-07-16,
• OMB Circular A-130,
• DOJ Order 2640.2F, and
• DOJ IT Security Standards.

Our audit included examining, on a test basis, the Criminal Division’s compliance with the aforementioned laws and regulations that could have a material effect on the Criminal Division’s operations. We interviewed key personnel within the Criminal Division, as well as performed a physical review on selected Criminal Division-owned laptop computers.
Additionally, we contacted a select group of vendors contracted to provide litigation support services to the Criminal Division.

As noted in the Finding section of this report, we found that some of the tested Criminal Division-owned laptop computers were not encrypted as required by DOJ policy. Also, improvements are needed with the Criminal Division’s laptop computer program and practices in the areas of laptop inventory and warning banners. Finally, significant improvements are required on the use of non-Criminal Division laptop computers by litigation support providers.

APPENDIX I

OBJECTIVES, SCOPE, AND METHODOLOGY

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

This audit was performed to assess the Criminal Division’s laptop computer encryption program and practices. Specifically, our audit objectives were to determine whether the Criminal Division complies with federal and DOJ policies regarding: (1) the use of whole disk encryption on employees’, contractors’, subcontractors’, and other vendors’ laptop computers used to process DOJ sensitive and classified information; and (2) laptop computers’ encryption certification procedures for contractors, subcontractors, and other vendors providing services to the Criminal Division.

Our audit covered a 6-month period from July through December 2009.
We performed our fieldwork on-site at the Criminal Division’s offices in Washington, D.C. and conducted site visits at contractor offices in Washington, D.C.; New York, NY; Boston, MA; and Miami, FL. During the audit period, we interviewed Criminal Division contractor personnel with responsibilities related to encryption policy development, data security, and deployment practices.

In addition, we met with the COTR responsible for finalizing contractual agreements between service vendors, JMD staff, and Criminal Division procurement and asked questions regarding contractual security requirements for laptop computers. We also reviewed the Criminal Division’s contract documents for litigation support services.

Our testing of Criminal Division laptop computers was conducted by selecting a sample of 40 of the 799 Criminal Division’s laptop computers identified within the official ARGIS database. This non-statistical sample design does not allow projection of the test results to all laptops.

We also met with Criminal Division’s Mega 3 contractors and OBD 47 contractors that perform litigation support services to determine if the Criminal Division is performing contractor oversight.

The Mega 3 contracts were awarded to three primary contractors: CACI International Inc., Labat-Anderson Incorporated, and Lockheed Martin. In addition to meeting with these three contractors, we also met with Lockheed Martin’s subcontractor L-Discovery. The Criminal Division COTR and Mega 3 contractors stated that Mega 3 contracted litigation support providers do not use laptop computers. Therefore, we did not have any Mega 3 laptops to test.

We interviewed 9 of 18 OBD 47 contractors, which covers 15 of 24 DOJ contracts, and reviewed their laptops.
The Criminal Division informed the audit team that OBD 47 contractors did not use Criminal Division-owned laptop computers to process Criminal Division data.

APPENDIX II

ACRONYMS

ADMIN     Office of Administration
AFMLS     Asset Forfeiture and Money Laundering Section
CCIPS     Computer Crime and Intellectual Property Section
CEOS      Child Exploitation and Obscenity Section
COTR      Contracting Officer’s Technical Representative
DOJ       Department of Justice
DOJCERT   Department of Justice Computer Emergency Readiness Team
DSS       Domestic Security Section
FIPS      Federal Information Processing Standards
ICITAP    International Criminal Investigative Training Assistance Program
JMD       Justice Management Division
NDDS      Narcotic and Dangerous Drug Section
NSA       National Security Agency
OBD       Offices, Boards, and Divisions
OEO       Office of Enforcement Operations
OIG       Department of Justice Office of the Inspector General
OMB       Office of Management and Budget
OPDAT     Office of Overseas Prosecutorial Assistance, Development and Training
PGD       Procurement Guidance Document
SOP       Standard Operating Procedures

APPENDIX III

CRIMINAL DIVISION’S RESPONSE

U.S. Department of Justice
Criminal Division

Washington, DC 20530

March 26, 2010

MEMORANDUM

TO:
Raymond J. Beaudet
Assistant Inspector General
Office of the Inspector General

FROM: Karl Maschino
Acting Executive Officer
Criminal Division

Responses to OIG Draft Audit Report: The Criminal Division's Laptop Computer Encryption Program and Practices

This memorandum outlines the Criminal Division's response to the recommendations set forth in the Draft Audit Report issued by the Office of the Inspector General (OIG) on March 10, 2010. The Criminal Division appreciates all of the work undertaken by OIG in auditing the Criminal Division's encryption policies and practices, and agrees with the recommendations set forth in the draft Report, subject to the clarifications detailed below. The Division recognizes the importance of safeguarding Department information and, for that reason, has taken immediate mitigative steps to address the issues identified in this Audit.

As an initial matter, the Criminal Division wishes to emphasize that less than two percent of all Division-owned laptops were found to be non-compliant with encryption requirements, and the Division believes that this limited encryption-related non-compliance was confined entirely to one section as a result of an isolated occurrence several years ago. Moreover, with respect to the other information security issues identified in the draft Report, including those pertaining to baseline configurations and procurement, the Division believes the incidence of such issues was similarly limited. Regardless, steps have been taken to bring all identified non-compliant laptops into full compliance and to ensure full compliance going forward. Our efforts in this
regard are outlined below.

Responses to Recommendations

The OIG made 10 recommendations to the Criminal Division to enhance the Division's safeguards over Department data on laptop computers. The OIG's recommendations reflect and build upon the longstanding policies of the Criminal Division, and consistent with the OIG's recommendations, the Division has recently taken additional steps to improve its ability to protect and secure Department information on Division-owned and contractor-owned laptops.

Recommendation 1. Ensure that all current Criminal Division-owned laptops are encrypted.

The Criminal Division has a longstanding policy of encrypting Division-owned laptops prior to use. The Criminal Division believes that the unencrypted laptops found in one Criminal Division section were the result of an isolated purchase that took place years ago. All laptops identified during the OIG Audit as unencrypted have since been reimaged and encrypted, or excised.

To help facilitate and achieve one hundred percent compliance going forward, the Division has recently developed Standard Operating Procedures (SOPs) for laptops. The SOPs clearly define the steps necessary to ensure that the Division's laptops are 1) inventoried appropriately in the Department's inventory system (ARGIS);1 2) loaded with baseline configurations using DOJ standards; and 3) running encryption software. In addition, the SOPs also require that the Information Technology (IT) Security Manager validates the encryption of each laptop and keeps a record of this action. Each of these steps is completed prior to deploying the laptop for Division use.

Recommendation 2.
Provide all laptops to Information Technology Management staff for encryption prior to use.

All IT equipment is purchased in coordination with Information Technology Management (ITM) staff. The Criminal Division's practice in this regard is structured so that ITM can exercise control over laptops that are purchased by the Division, thereby ensuring minimum requirements and baseline configurations are applied. Recently, Criminal Division leadership has strongly re-emphasized this policy. Further, as stated above, the recently developed SOPs also require that all laptops be provided to ITM staff for encryption prior to use.

Recommendation 3. Formalize laptop procurement procedures to ensure that laptops are appropriately inventoried, encrypted, and processed through Information Technology Management per Criminal Division policy.

The new SOPs ensure that Department policy and security requirements are followed for the implementation, administration, maintenance, and support of laptop management.

1 ARGIS, the Department's official property management system, is known to randomly purge records, resulting in inaccurate inventories. For this reason and others, the Department is seeking to replace the ARGIS system with a more user-friendly and reliable system in the near future. In the meantime, to address this systemic problem with ARGIS, Criminal Division staff will conduct routine inventory verifications to identify and correct any inconsistencies that result from this problem with ARGIS.

Recommendation 4.
Ensure that the Information Technology Management staff approves baseline configurations using DOJ standards on all laptops used for DOJ processing.

The recently developed SOPs ensure that laptops are encrypted and imaged using the minimum requirements and baseline configuration in accordance with DOJ standards. These actions will be validated by the IT Security Manager when he/she reviews each laptop prior to its deployment, ensuring this baseline configuration and encryption.

To remedy the baseline configuration-related departures from policy identified in the draft Report, a one hundred percent inventory was completed. All identified non-compliant laptops have now been re-imaged and verified to be consistent with DOJ requirements, including the Criminal Division Minimum Configuration Checks, v1.0.

Recommendation 5. Ensure that a record of encryption is maintained for all Criminal Division-owned laptops.

The recently developed laptop SOPs require that each Criminal Division-owned laptop receives a validation of its encryption when the laptop is deployed. Going forward, Criminal Division-owned laptops will also be subject to random checks annually, and a record of those checks will be maintained by ITM staff.

Recommendation 6. Enhance procedures for ensuring that the official inventory database, ARGIS, maintains accurate and reliable information for all Criminal Division-owned laptop computers.

As stated above, Criminal Division administrative management is re-emphasizing that all IT purchases must be made in consultation with ITM staff. In keeping with the recently developed SOPs regarding laptop management, all IT equipment will be inventoried in ARGIS and will receive baseline configurations, using DOJ standards and encryption, prior to being deployed.
In addition, the ARGIS inventory will be checked on a periodic basis to audit system counts and correct any random purges, as discussed above. The Criminal Division also encourages the Department to continue to explore the identified issues presented by the ARGIS system.

Recommendation 7. Ensure that all contractor-owned laptop computers used to process DOJ data are encrypted or require contractors to use encrypted Criminal Division provided hardware.

As outlined in the Department's PGD 08-04 Guidance, all work performed by off-site contractors for the Criminal Division is required to be stored on an encrypted device. To facilitate compliance with this requirement, the Division has adopted a new practice involving the issuance of an encrypted USB storage device by ITM staff to each contractor who needs computer resources to process Department information. In order to comply with the Department's encryption requirements, all contractors must abide by the following rules when using encrypted USB storage devices:

• all information being produced for the Criminal Division must be stored on the USB-encrypted storage device issued by the Division's ITM staff;
• no information may be copied from the device to the computer being used;
• timely notice of any inadvertent departure from the above rules must be made to the ITM staff.

Finally, off-site contractors working for the Criminal Division must sign and return (within 10 business days) a consent form, whereby the contractor agrees to the terms and conditions set forth in the form and DOJ's PGD 08-04 Order.
These contractors also receive a detailed memo from the Criminal Division's Contracting Officer containing rules, instructions, and the signature sheet to be returned, as well as an attachment outlining the PGD 08-04 guidance.

Recommendation 8. Ensure that Criminal Division contract support providers are aware of security procedures for handling DOJ data in accordance with DOJ policy.

As stated above, off-site contractors working for the Criminal Division must sign and return (within 10 business days) a consent form, whereby the contractor agrees with the terms and conditions set forth in the form and DOJ's PGD 08-04 Order. These contractors also receive a detailed memo from the Criminal Division's Contracting Officer containing rules, instructions, and the signature sheet to be returned, as well as an attachment outlining the PGD 08-04 guidance.

Recommendation 9. Implement the PGD 08-04 clause in all OBD 47 contracts.

As stated above, the Criminal Division has issued guidance that all work performed by off-site contractors for the Division is required to be stored on an encrypted device. This guidance also outlines the rules of behavior by which the off-site contractors must abide when using the encrypted devices. Before beginning work for the Division, contractors are asked to certify that they understand and will comply with these rules of behavior.
This change will
ensure that all OBD 47 contracts are in compliance with the PGD 08-04.


Note: Appendix A of the Criminal Division Management’s response was omitted at
the request of the Criminal Division because it contained sensitive information.


                                                       APPENDIX IV

              OFFICE OF THE INSPECTOR GENERAL
             ANALYSIS AND SUMMARY OF ACTIONS
               NECESSARY TO CLOSE THE REPORT

       The OIG provided a draft of this audit report to the Criminal Division
and their comments on the findings and recommendations were considered
in preparing this Analysis and Summary of Actions Necessary to Close the
Report. The Criminal Division’s response is incorporated as Appendix III of
this report. In its response, the Criminal Division concurred with our
recommendations and discussed the actions it will implement in response to
our findings.

       We address later in this appendix the specific responses to each of our
recommendations and the actions necessary to close the recommendations.
First, however, we respond to comments in the Criminal Division’s response
that did not pertain to a specific recommendation.

Analysis of the Criminal Division Response

       In response to our draft audit report, the Criminal Division stated that
less than 2 percent of all Division-owned laptops were found to be
non-compliant with encryption requirements and that it believed that this limited
encryption-related non-compliance was confined entirely to one section as a
result of an isolated occurrence several years ago. We do not agree that our
audit found that less than 2 percent of all Division-owned laptops were
non-compliant.
We tested 40 of the 799 Criminal Division-owned laptops and
found that 10 out of 40 laptops (25 percent) were not encrypted. The
Criminal Division is correct that all 10 of the non-compliant laptops were in
one section, and it may also be correct that this was the result of an isolated
occurrence several years ago. However, our report is careful not to project
the results of our non-statistical sample to the universe of 799 Criminal
Division-owned laptops. Similarly, it cannot be assumed that the 759
Criminal Division-owned laptops we did not test are in fact encrypted.

      The Criminal Division’s response does not discuss the more significant
lack of encryption issue we identified with respect to contractor-owned
laptops. We reported that seven of the nine contractors we tested
processed DOJ data on unencrypted laptops. This is a troubling issue that
must be quickly addressed. In addition, our finding on improper baseline
configurations was not limited to an isolated occurrence. In fact, two
sections were found to have baseline configuration issues.


  Summary of Actions Necessary to Close the Recommendations

1.    Resolved. The Criminal Division concurred with the OIG’s
      recommendation to ensure that all current Criminal Division-owned
      laptops are encrypted. This recommendation can be closed when the
      Criminal Division provides relevant SOPs to the OIG for review and
      evidence of encryption validation for the unencrypted laptops we tested.

2.    Resolved. The Criminal Division concurred with the OIG’s
      recommendation to provide all laptops to Information Technology
      Management staff for encryption prior to use. This recommendation can
      be closed when the Criminal Division provides relevant SOPs to us for
      review and evidence of implementation.

3.    Resolved.
      The Criminal Division concurred with the OIG’s
      recommendation to formalize laptop encryption procedures to ensure that
      laptops are appropriately inventoried, encrypted, and processed through
      Information Technology Management pursuant to Criminal Division policy.
      The Criminal Division has stated that it has a plan to correct systemic
      problems and will conduct routine inventory verifications. This
      recommendation can be closed when the Criminal Division provides
      relevant SOPs to us for review and evidence of implementation.

4.    Resolved. The Criminal Division concurred with the OIG’s
      recommendation to ensure that the Information Technology Management
      staff approves baseline configurations using DOJ standards on all laptops
      used for DOJ processing. The Criminal Division stated that the laptops we
      identified have been re-imaged and verified to be consistent with DOJ
      requirements. This recommendation can be closed when the Criminal
      Division provides relevant SOPs to us for review, evidence of
      implementation, and evidence that the identified non-compliant laptops
      have been re-imaged in accord with DOJ requirements.

5.    Resolved. The Criminal Division concurred with the OIG’s
      recommendation to ensure that a record of encryption is maintained for
      all Criminal Division-owned laptops. This recommendation can be closed
      when the Criminal Division provides relevant SOPs and documentation of
      encryption record implementation.

6.    Resolved. The Criminal Division concurred with the OIG’s
      recommendation to enhance procedures for ensuring that the official
      inventory database, ARGIS, maintains accurate and reliable information
      for all Criminal Division-owned laptop computers.
      This recommendation can be closed when the Criminal Division provides
      relevant SOPs and evidence of the Criminal Division’s ARGIS inventory audit.

7.    Resolved. The Criminal Division concurred with the OIG’s
      recommendation to ensure that all Contractor-owned laptop computers
      used to process DOJ data are encrypted or require contractors to use
      Criminal Division provided hardware. The Criminal Division stated that it
      would provide encrypted USB storage devices to contractors and have the
      contractors sign a consent form agreeing to the terms and conditions of
      the PGD-08-04 guidance. This recommendation can be closed when the
      Criminal Division provides evidence that the procedures have been
      implemented to include: (1) contractor receipt of encrypted USB storage
      devices; (2) contractor-signed consent forms; and (3) the Contracting
      Officer’s memo with signature page regarding rules and instructions
      outlining the PGD 08-04 guidance.

8.    Resolved. The Criminal Division concurred with the OIG’s
      recommendation to ensure that Criminal Division contract support
      providers are aware of security procedures for handling DOJ data in
      accordance with DOJ policy. This recommendation can be closed when
      the Criminal Division provides evidence of contractor-signed consent
      forms and the Contracting Officer’s memo with signature page regarding
      rules and instructions outlining the PGD 08-04 guidance.

9.    Resolved. The Criminal Division concurred with the OIG’s
      recommendation to implement the PGD 08-04 clause in all OBD 47
      contracts.
      This recommendation can be closed when the Criminal
      Division provides evidence of the contractors’ certification that they
      understand and will comply with the rules of behavior prior to performing
      DOJ work and guidance regarding Division work being stored on the
      encrypted USB storage device.

10.   Resolved. The Criminal Division concurred with the OIG’s
      recommendation to implement the conditions of the waiver pertaining to
      the PGD 08-04 clause for Mega 3 contracts. This recommendation can be
      closed when the Criminal Division provides evidence that it has
      re-emphasized the DOJ security requirements to all the Mega 3 contractors
      and evidence that site visits are regularly conducted.